Given a synchronous system, we study the question whether the behaviour of that system can be
exhibited by a (non-trivially) distributed and hence asynchronous implementation. In this paper 
we show, by counterexample, that synchronous systems cannot in general be implemented in an 
asynchronous fashion without either introducing an infinite implementation or changing the causal 
structure of the system behaviour. 

keywords: asynchrony, distributed systems, causal semantics, Petri nets 

1 Introduction 

It would be desirable - from a programming standpoint - to design systems in a synchronous fashion,
yet reap the benefits of parallelism by means of an (ideally automatically generated) asynchronous
implementation executed on multiple processing units in parallel. We consider the question under which
circumstances such an approach is applicable, or equivalently, what restrictions must be placed on the
synchronous design in order that it may be simulated asynchronously.

We formalise this problem by means of Petri nets (Section [2]), a semi-structural requirement (Section
[3]) on Petri nets to enforce asynchrony in the implementation, and an equivalence relation (Section [4])
on possible Petri net behaviours to decide whether a candidate implementation is indeed faithful to the
synchronous specification.

Countless equivalence relations for system behaviour have already been proposed. When comparing
the strictness of these equivalences, as done in JH or [3], and exploring the resulting lattice, one finds
multiple "dimensions" of features along which such an equivalence may be more or less discriminating.
The most prominent one is the linear-time branching-time axis, denoting how well the decision structure
of a system is captured by the equivalence. Another dimension relevant to this paper is that along which
the detail of the causal structure increases. On the first of these two dimensions, we would at the very
least like to detect deadlocks introduced by the implementation, on the second one, at least a reduction
in concurrency due to the implementation. As every (non-trivial) implementation will introduce internal
$\tau$-transitions, a suitable equivalence must abstract from them, as long as they do not allow a divergence.

Figure 1: A fully reached, pure M, the problematic structure from [4].

Figure 2: A repeated pure M. A finite, 1-safe, undistributable net used as a running counterexample.



[4] answers part of the question of distributed implementability for a certain equivalence of this
spectrum, namely step readiness equivalence. Step readiness equivalence is one of the weakest equivalences
that respects branching time, concurrency and divergence to some degree but abstracts from internal
actions. For this equivalence we derived an exact characterisation of asynchronously implementable
("distributable") Petri nets. The main difficulty in implementing arbitrary Petri nets up to step readiness
equivalence is a structure called pure M, depicted in Figure [1], where two parallel transitions are in
pairwise conflict with a common third. By H a synchronous net is distributable only if it contains no fully
reachable pure M. The other direction needed for exactness has not been published yet, as the only
proof existing as yet utilises an infinite implementation.

Using the strictly weaker completed step trace equivalence, [10] proved any synchronous net to be
distributable. Comparing these two results and the given implementation in the latter, we made a very
interesting observation: we were unable to find an implementation of a synchronous net with a fully
reachable pure M which did not introduce additional causal dependencies.

In this paper we show that this drawback holds for any sensible encoding of synchronous interactions,
i.e., it is a general phenomenon of encoding synchrony. We reach that result by extending the pure M of
Figure [1] into a repeated pure M, depicted in Figure [2]. We thereby get a separation result similar to H
along a different, namely the causal, dimension of the spectrum of behavioural equivalences.

We introduce basic Petri net concepts in Section [2], then turn to recounting the definition of
distributability in Section [3]. Afterwards we introduce completed pomset trace equivalence in Section [4],
justify it by means of illustrative examples, and use it in Section [5] to prove the impossibility of
implementing general Petri nets while respecting causality. Finally, Section [6] concludes.



J.-W. Schicke, K. Peters & U. Goltz 






2 Basic Notions 

Most material in this section has been taken verbatim or with minimal adaptation from or [10].
Where dealing with tuples, we use $pr_1, pr_2, \ldots$ as the projection functions returning the first, second, ...
element respectively. We extend these functions to sets element-wise.

Definition 1. Let $Act$ be a set of visible actions and $\tau \notin Act$ be an invisible action.
A labelled net (over $Act$) is a tuple $N = (S, T, F, M_0, \ell)$ where

• $S$ is a set (of places),

• $T$ is a set (of transitions),

• $F \subseteq S \times T \cup T \times S$ (the flow relation),

• $M_0 \subseteq S$ (the initial marking) and

• $\ell : T \to Act \cup \{\tau\}$ (the labelling function).

A net is called finite iff $S$ and $T$ are finite.

Petri nets are depicted by drawing the places as circles, the transitions as boxes containing the respective
label, and the flow relation as arrows (arcs) between them. When a Petri net represents a concurrent
system, a global state of such a system is given as a marking, a set of places, the initial state being $M_0$.
A marking is depicted by placing a dot (token) in each of its places. The dynamic behaviour of the
represented system is defined by describing the possible moves between markings. A marking $M$ may
evolve into a marking $M'$ when a nonempty set of transitions $G$ fires. In that case, for each arc $(s,t) \in F$
leading to a transition $t$ in $G$, a token moves along that arc from $s$ to $t$. Naturally, this can happen only
if all these tokens are available in $M$ in the first place. These tokens are consumed by the firing, but also
new tokens are created, namely one for every outgoing arc of a transition in $G$. These end up in the places
at the end of those arcs. A problem occurs when as a result of firing $G$ multiple tokens end up in the same
place. In that case $M'$ would not be a marking as defined above. In this paper we restrict attention to nets
in which this never happens. Such nets are called 1-safe. Unfortunately, in order to formally define this
class of nets, we first need to correctly define the firing rule without assuming 1-safety. Below we do this
by forbidding the firing of sets of transitions when this might put multiple tokens in the same place.

To help track causality throughout the evolution of a net, we extend the usual notion of marking to 
dependency marking. Within these dependency markings, every token is augmented with the labels of 
all transitions having causally contributed to its existence. The other basic Petri net notions presented 
here have been extended in the same manner. While it might seem more natural to annotate the causal 
history of the tokens by a partial order, we only use a set here in order to keep the number of reachable 
markings finite for finite nets (a property a later proof will utilise). 

We denote the preset and postset of a net element $x \in S \cup T$ by ${}^\bullet x := \{y \mid (y,x) \in F\}$ and
$x^\bullet := \{y \mid (x,y) \in F\}$ respectively. These functions are extended to sets in the usual manner, i.e.
${}^\bullet X := \{y \mid y \in {}^\bullet x,\ x \in X\}$.

Definition 2. Let $N = (S,T,F,M_0,\ell)$ be a net. Let $M_1, M_2 \subseteq S \times \mathcal{P}(Act)$.
$G \subseteq T$, $G \neq \emptyset$, is called a dependency step from $M_1$ to $M_2$, $M_1 [G\rangle_N M_2$, iff

• all transitions contained in $G$ are enabled, i.e.

$\forall t \in G.\ {}^\bullet t \subseteq pr_1(M_1) \wedge (pr_1(M_1) \setminus {}^\bullet t) \cap t^\bullet = \emptyset$,

• all transitions of $G$ are independent, that is not conflicting:

$\forall t,u \in G, t \neq u.\ {}^\bullet t \cap {}^\bullet u = \emptyset \wedge t^\bullet \cap u^\bullet = \emptyset$,

• causalities are extended by the labels of the firing transitions:

$M_2 = \{p \in M_1 \mid pr_1(p) \notin {}^\bullet G\} \cup \left\{ \left(s, (\{\ell(t)\} \setminus \{\tau\}) \cup \bigcup_{p \in M_1 \wedge pr_1(p) \in {}^\bullet t} pr_2(p)\right) \,\middle|\, t \in G, s \in t^\bullet \right\}$.

Applying $pr_1$ to a dependency marking results in the classical Petri net notion of marking and similar for
the other notions introduced in this section. We will however mainly employ the versions defined here
and drop the qualifier "dependency" most of the time. A token $(s,P) \in M$ is $Q$-dependent iff $Q \subseteq P$ and
$Q$-independent iff $P \cap Q = \emptyset$.

To simplify the following argumentation we use some abbreviations, denotes a labelled step
on a single transition labelled $a$. $\stackrel{a}{\Rightarrow}_N$ denotes a step on $a$ surrounded by arbitrary $\tau$-steps, i.e., $\Rightarrow_N$
abstracts from $\tau$-steps.

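Definition 3. Let $N = (S,T,F,M_0,\ell)$ be a labelled net.

We extend the labelling function $\ell$ to (multi)sets element-wise.

$\rightarrow_N \subseteq \mathcal{P}(S \times \mathcal{P}(Act)) \times \mathbb{N}^{Act} \times \mathcal{P}(S \times \mathcal{P}(Act))$ is given by
$M_1 \stackrel{A}{\rightarrow}_N M_2 \Leftrightarrow \exists G \subseteq T.\ M_1 [G\rangle_N M_2 \wedge A = \ell(G)$

$\stackrel{\tau}{\rightarrow}_N \subseteq \mathcal{P}(S \times \mathcal{P}(Act)) \times \mathcal{P}(S \times \mathcal{P}(Act))$ is defined by
$M_1 \stackrel{\tau}{\rightarrow}_N M_2 \Leftrightarrow \exists t \in T.\ \ell(t) = \tau \wedge M_1 [\{t\}\rangle_N M_2$

$\Rightarrow_N \subseteq \mathcal{P}(S \times \mathcal{P}(Act)) \times Act^* \times \mathcal{P}(S \times \mathcal{P}(Act))$ is defined by
$M_1 \stackrel{a_1 a_2 \cdots a_n}{\Longrightarrow}_N M_2 \Leftrightarrow M_1 \stackrel{\tau}{\rightarrow}{}^*_N \stackrel{\{a_1\}}{\rightarrow}_N \stackrel{\tau}{\rightarrow}{}^*_N \stackrel{\{a_2\}}{\rightarrow}_N \stackrel{\tau}{\rightarrow}{}^*_N \cdots \stackrel{\tau}{\rightarrow}{}^*_N \stackrel{\{a_n\}}{\rightarrow}_N \stackrel{\tau}{\rightarrow}{}^*_N M_2$

where $\stackrel{\tau}{\rightarrow}{}^*_N$ denotes the reflexive and transitive closure of $\stackrel{\tau}{\rightarrow}_N$.
We omit the subscript $N$ if clear from context.

We write $M_1 \stackrel{A}{\rightarrow}_N$ for $\exists M_2.\ M_1 \stackrel{A}{\rightarrow}_N M_2$, $M_1 \stackrel{A}{\nrightarrow}_N$ for $\nexists M_2.\ M_1 \stackrel{A}{\rightarrow}_N M_2$ and similar for the other two
relations. Likewise $M_1 [G\rangle_N$ abbreviates $\exists M_2.\ M_1 [G\rangle_N M_2$. A marking $M_1$ is said to be reachable iff there
is a sequence of labels $\sigma \in Act^*$ such that $M_0 \times \{\emptyset\} \stackrel{\sigma}{\Longrightarrow}_N M_1$. The set of all reachable markings is
denoted by $[M_0\rangle_N$.

As said before, here we only want to consider 1-safe nets. Formally, we restrict ourselves to contact-free
nets, where in every reachable marking $M_1 \in [M_0\rangle$ for all $t \in T$ with ${}^\bullet t \subseteq pr_1(M_1)$

$(pr_1(M_1) \setminus {}^\bullet t) \cap t^\bullet = \emptyset$.

For such nets, in Definition [2] we can just as well consider a transition $t$ to be enabled in $M$ iff ${}^\bullet t \subseteq pr_1(M)$,
and two transitions to be independent when ${}^\bullet t \cap {}^\bullet u = \emptyset$.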



3 Distributed Nets 

After having introduced Petri nets in general, we still need to find a notion of such a net being distributed 
before being able to answer the question of distributed implementability. A straightforward approach is 
to assign to each net element a location, place sensible restrictions on arrows crossing location borders, 
and restrict the sets of net elements being allowed to reside on the same location. 

We will regard locations as sequential execution units of the underlying system, each one able to
execute at most one action during each step. This necessitates that no pair of transitions firing in the
same step can reside on the same location. Additionally, if locations are indeed physically apart as their
name suggests, communication between them can only proceed asynchronously.

Figure 3: A centralised implementation of Figure [2], location borders dotted.

We discussed a very similar notion of distribution in [4], from which the following description and
definition of the present version have been derived. The central insight from that paper is that the
synchronous removal of tokens from preplaces of a transition is essential to the conflict resolution taking
place between multiple enabled transitions and that hence transitions must reside on the same location
as their preplaces.

We model the association of locations to the places and transitions in a net $N = (S,T,F,M_0,\ell)$ as a
function $D : S \cup T \to Loc$, with $Loc$ a set of possible locations. We refer to such a function as a distribution
of $N$. Since the identity of the locations is irrelevant for our purposes, we can just as well abstract from
$Loc$ and represent $D$ by the equivalence relation $\equiv_D$ on $S \cup T$ given by $x \equiv_D y$ iff $D(x) = D(y)$.

Definition 4. Let $N = (S,T,F,M_0,\ell)$ be a net.

The concurrency relation $\smile \subseteq T^2$ is given by $t \smile u \Leftrightarrow t \neq u \wedge \exists M \in [M_0\rangle.\ M[\{t,u\}\rangle$. $N$ is distributed iff
it has a distribution $D$ such that

• $\forall s \in S, t \in T.\ s \in {}^\bullet t \Rightarrow t \equiv_D s$,

• $t \smile u \Rightarrow t \not\equiv_D u$.

It is straightforward to give a semi-structural¹ characterisation of this class of nets:

Observation 1.

A net is distributed iff there is no sequence $t_0,\ldots,t_n$ of transitions with $t_0 \smile t_n$ and
${}^\bullet t_{i-1} \cap {}^\bullet t_i \neq \emptyset$ for $i = 1,\ldots,n$.
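The check of Observation 1 can be mechanised for finite 1-safe nets; the following is an added example, not code from the paper. The two sample nets are constructed here from the textual description of a pure M (place and transition names are assumptions), and markings are plain sets of places since dependencies play no role in this check.

```python
from itertools import combinations


class Net:
    """A 1-safe net given by preset/postset maps (transition -> set of places)
    and an initial marking; markings are plain sets of places."""

    def __init__(self, pre, post, m0):
        self.pre = {t: frozenset(p) for t, p in pre.items()}
        self.post = {t: frozenset(post[t]) for t in pre}
        self.m0 = frozenset(m0)

    def enabled(self, marking, step):
        """Step condition of Definition 2, ignoring the dependency annotations."""
        for t in step:
            if not self.pre[t] <= marking:               # a preplace is unmarked
                return False
            if (marking - self.pre[t]) & self.post[t]:   # firing would cause contact
                return False
        return all(not (self.pre[t] & self.pre[u]) and not (self.post[t] & self.post[u])
                   for t, u in combinations(step, 2))

    def reachable(self):
        """All markings reachable from the initial one (finite for finite 1-safe nets)."""
        seen, todo = {self.m0}, [self.m0]
        while todo:
            m = todo.pop()
            for t in self.pre:
                if self.enabled(m, [t]):
                    m2 = (m - self.pre[t]) | self.post[t]
                    if m2 not in seen:
                        seen.add(m2)
                        todo.append(m2)
        return seen


def concurrent_pairs(net):
    """The concurrency relation: pairs that can fire in one step somewhere."""
    markings = net.reachable()
    return {(t, u) for t, u in combinations(sorted(net.pre), 2)
            if any(net.enabled(m, [t, u]) for m in markings)}


def location_classes(net):
    """Finest partition of T that co-locates transitions sharing a preplace
    (forced, since every transition sits on the location of its preplaces)."""
    parent = {t: t for t in net.pre}

    def find(t):
        while parent[t] != t:
            parent[t] = parent[parent[t]]
            t = parent[t]
        return t

    for t, u in combinations(sorted(net.pre), 2):
        if net.pre[t] & net.pre[u]:
            parent[find(t)] = find(u)
    return {t: find(t) for t in net.pre}


def violations(net):
    """Concurrent pairs that a chain of shared preplaces forces onto one location."""
    cls = location_classes(net)
    return sorted((t, u) for t, u in concurrent_pairs(net) if cls[t] == cls[u])


def is_distributed(net):
    return not violations(net)


# Constructed sample: a and c are parallel, each in conflict with b (a pure M).
PURE_M = Net(pre={"a": {"p"}, "b": {"p", "q"}, "c": {"q"}},
             post={"a": {"r"}, "b": {"s"}, "c": {"u"}},
             m0={"p", "q"})
# Constructed sample: the same a and c without the common third transition.
PARALLEL = Net(pre={"a": {"p"}, "c": {"q"}},
               post={"a": {"r"}, "c": {"u"}},
               m0={"p", "q"})

if __name__ == "__main__":
    print("pure M violations:", violations(PURE_M))
    print("parallel net distributed:", is_distributed(PARALLEL))
```
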

4 Completed Pomset Trace 

We now motivate the equivalence relation used for the rest of the paper by means of highlighting some 
possible shortcomings of implementations one would intuitively like to avoid. 

1 mainly structural, but with a reachability side-condition

When trying to implement a synchronous Petri net by a distributed one, one of the easiest approaches
is central serialisation of the entire original net by introduction of a single new place connected with loops
to every transition, thereby vacuously fulfilling the requirement that no parallel transitions may reside
on the same location. This clearly loses parallelism. We illustrate in Figure [3] the result of applying
a slightly more intricate variant of this scheme, where every visible step of the original still exists in
the implementation, to the repeated pure M. Nonetheless, this approach is intuitively not scalable, as
all decisions made concurrently in the original net are now made in sequence. In particular, the parts
of the net firing a were completely independent of those parts firing c in the specification, while being
connected through the central place in the implementation. Such new dependencies can be detected if the
causal dependencies between events are included in the behavioural description of a net. Apart from the
obvious implications for scalability, if a Petri net is used as an abstract description of a more concrete
system, a new dependency might enable interactions between different parts of the system the designer
did not take into account. Hence we would like to disallow such a strategy by means of the equivalence
between specification and implementation.

Figure 4: A locally deadlocking implementation of Figure [2], location borders dotted.
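How a central place leaks causality can be replayed with the dependency markings of Definition 2; this is an added example, not code from the paper. Both nets are constructed here: the specification has two independent loops for a and c, and the serialised variant adds one place, named `lock` as an assumption, that every transition consumes and reproduces.

```python
TAU = "tau"  # stand-in for the invisible label (not used by the two sample nets)


def initial(places):
    """M_0 x {emptyset}: every initial token starts without dependencies."""
    return frozenset((s, frozenset()) for s in places)


def fire(net, marking, t):
    """Fire the single-transition step {t} on a dependency marking (Definition 2)."""
    pre, post, label = net
    places = {s for s, _ in marking}
    if not pre[t] <= places or (places - pre[t]) & post[t]:
        raise ValueError(f"{t} is not enabled")
    # Dependencies inherited from all consumed tokens ...
    inherited = frozenset().union(*(d for s, d in marking if s in pre[t]))
    # ... extended by the label of t unless it is invisible.
    deps = inherited | (frozenset({label[t]}) - {TAU})
    kept = {(s, d) for s, d in marking if s not in pre[t]}
    return frozenset(kept | {(s, deps) for s in post[t]})


def run(net, m0, sequence):
    """Fire the transitions of `sequence` one after another from M_0 x {emptyset}."""
    marking = initial(m0)
    for t in sequence:
        marking = fire(net, marking, t)
    return marking


def deps_of(marking, place):
    """Dependency set carried by the token on `place`."""
    return next(set(d) for s, d in marking if s == place)


LABEL = {"a": "a", "c": "c"}

# Constructed specification: a loops on pa, c loops on pc, fully independent.
SPEC = ({"a": {"pa"}, "c": {"pc"}},
        {"a": {"pa"}, "c": {"pc"}},
        LABEL)

# Constructed central serialisation: one extra place looped through every transition.
CENTRAL = ({"a": {"pa", "lock"}, "c": {"pc", "lock"}},
           {"a": {"pa", "lock"}, "c": {"pc", "lock"}},
           LABEL)

if __name__ == "__main__":
    print(deps_of(run(SPEC, {"pa", "pc"}, ["a", "c"]), "pc"))
    print(deps_of(run(CENTRAL, {"pa", "pc", "lock"}, ["a", "c"]), "pc"))
```

In the specification the token produced by c depends on c only, while in the serialised net it also depends on a, which is the added causal dependency the equivalence is meant to reject.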

No such causalities are introduced by the implementation in Figure [4]. There, however, one of the
cycles of a's or c's may spontaneously decide to commit to the b action and wait until the other does
likewise, resulting in what is essentially a local deadlock. Compared to the original net, where a stayed
enabled until b was fired, such behaviour is new. Trying to resolve this deadlock by adding a $\tau$-transition
in the reverse direction would introduce a diverging computation not present in the original net.

All these deviations from the original behaviour can elegantly be captured by the causal equivalence 
from [10], called completed pomset trace equivalence. It extends the pomset trace equivalence of (H as 
to detect local deadlocks, which can be regarded as unjust executions in the sense of 0. 

Pomset trace equivalence is obtained by unrolling a Petri net into a process as defined by [7]. Such a
process can be understood to be an account of one particular way to decide all conflicts which occurred
while proceeding from one marking to the next. The behaviour of the net is hence a set of these processes,
covering all possible ways to decide conflicts.

Unrolling a net $N$ intuitively proceeds as follows: The initially marked places of $N$ are copied into a
new net $\mathcal{N}$ and their correspondence to the original places recorded in a mapping $\pi$. Then, whenever in
$N$ a transition $t$ is fired, this is replayed in $\mathcal{N}$ by a new transition connected to places corresponding by $\pi$
to the original preplaces of $t$ and which are not yet connected to any other post-transition. A new place
of $\mathcal{N}$ is created for every token produced by $t$. Again all correspondences are recorded in $\pi$. Every place
of $\mathcal{N}$ has thus at most one post-transition. If it has none, this place represents a token currently being
placed on the corresponding original place.

As a shorthand notation to gather these places, we introduce the end of a net.

Definition 5. Let $N = (S,T,F,M_0,\ell)$ be a labelled net.
The end of the net is defined as $N^\circ := \{s \in S \mid s^\bullet = \emptyset\}$.

Definition 6.

A pair $P = (\mathcal{N}, \pi)$ is a process of a net $N = (S,T,F,M_0,\ell)$ iff

• $\mathcal{N} = (\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, l)$ is a net, satisfying

- $\forall s \in \mathcal{S}.\ |{}^\bullet s| \le 1 \ge |s^\bullet| \wedge s \in \mathcal{M}_0 \Leftrightarrow {}^\bullet s = \emptyset$,

- $\mathcal{F}$ is acyclic, i.e. $\forall x \in \mathcal{S} \cup \mathcal{T}.\ (x,x) \notin \mathcal{F}^+$,
where $\mathcal{F}^+$ is the transitive closure of $\{(t,u) \mid \mathcal{F}(t,u) > 0\}$,

- and $\{t \mid (t,u) \in \mathcal{F}^+\}$ is finite for all $u \in \mathcal{T}$.

• $\pi : \mathcal{S} \cup \mathcal{T} \to S \cup T$ is a function with $\pi(\mathcal{S}) \subseteq S$ and $\pi(\mathcal{T}) \subseteq T$, satisfying

- $s \in M_0 \Leftrightarrow |\pi^{-1}(s) \cap \mathcal{M}_0| = 1$ for all $s \in S$,

- $\pi$ is injective on $\mathcal{M}_0$,

- $\forall t \in \mathcal{T}, s \in S.\ F(s, \pi(t)) = |\pi^{-1}(s) \cap {}^\bullet t| \wedge F(\pi(t), s) = |\pi^{-1}(s) \cap t^\bullet|$, and

- $\forall t \in \mathcal{T}.\ l(t) = \ell(\pi(t))$.

$P$ is called finite if $\mathcal{N}$ is finite.

$P$ is maximal iff $\pi(\mathcal{N}^\circ)$ -><—>•#. The set of all maximal processes of a net $N$ is denoted by $MP(N)$.
To disambiguate between a not-yet-occurred firing of a transition a and the impossibility of firing an a,
we restrict the set of processes relevant for the behavioural description to maximal processes. We thereby
obtain a just semantics in the sense of [9], i.e. a transition which remained enabled infinitely long must
ultimately fire.

To abstract from the $\tau$-actions introduced in an implementation, we extract from the maximal
processes the causal structure between the fired visible events in the form of a partially ordered multiset
(pomset). Formally, a pomset is an isomorphism class of a partially ordered multiset of action labels.

Definition 7.

A labelled partial order is a structure $(V, T, \le, l)$ where

• $V$ is a set (of vertices),

• $T$ is a set (of labels),

• $\le\ \subseteq V \times V$ is a partial order relation and

• $l : V \to T$ (the labelling function).

Two labelled partial orders $o = (V, T, \le, l)$ and $o' = (V', T, \le', l')$ are isomorphic, $o \cong o'$, iff there exists
a bijection $\varphi : V \to V'$ such that

• $\forall v \in V.\ l(v) = l'(\varphi(v))$ and

• $\forall u,v \in V.\ u \le v \Leftrightarrow \varphi(u) \le' \varphi(v)$.

Definition 8. Let $o = (V, T, \le, l)$ be a partial order.

The pomset of $o$ is its isomorphism class $[o] := \{o' \mid o \cong o'\}$.

By hiding the unobservable transitions of a process, we obtain a pomset which describes causality relations
of all participating visible transitions.

Definition 9. Let $P = ((\mathcal{S}, \mathcal{T}, \mathcal{F}, \mathcal{M}_0, l), \pi)$ be a process.

Let $\mathcal{O} := \{t \in \mathcal{T} \mid l(t) \neq \tau\}$, i.e. the visible transitions of the process. The visible pomset of $P$ is the
pomset $VP(P) := [(\mathcal{O}, Act, \mathcal{F}^* \cap (\mathcal{O} \times \mathcal{O}), l \cap (\mathcal{O} \times Act))]$ where $\mathcal{F}^*$ is the transitive and reflexive closure
of the flow relation $\mathcal{F}$.

$MVP(N) := \{VP(P) \mid P \in MP(N)\}$ is the set of pomsets of all maximal processes of $N$.
Using this notion we can now define completed pomset trace equivalence.

Definition 10.

Two nets $N$ and $N'$ are completed pomset trace equivalent, $N \approx_{CPT} N'$, iff $MVP(N) = MVP(N')$.

Figure 5: An infinite implementation of Figure [2], constructed by taking every maximal process and
initially choosing one, location borders dotted.



5 Impossibility 

As completed pomset trace equivalence is a very linear-time equivalence, it disregards the decision
structure of a system, and an implementation like the one of Figure [5], which simply provides a separate branch
for each possible maximal process of the original net, would be fully satisfactory. In practice though,
such an infinite implementation is unwieldy to say the least. If however infinite implementations are
ruled out, our main result shows that no valid implementation of the repeated pure M of Figure [2] exists.

Before we consider this main theorem of the paper, let us concentrate on two auxiliary lemmata.
The first states that the careful introduction of a $\tau$-transition before an arbitrary transition of a net, as
described below, does not significantly influence the properties of that net.

Lemma 1. Let $N = (S,T,F,M_0,\ell)$ be a finite, 1-safe, distributed net with the distribution function $D$. Let
$t \in T$.

The net $N' = (S', T', F', M_0, \ell')$ with

• $S' = S \cup \{s_t\}$,

• $T' = T \cup \{\tau_t\}$,

• $F' = (F \setminus (S \times {}^\bullet t)) \cup \{(s, \tau_t) \mid s \in {}^\bullet t\} \cup \{(\tau_t, s_t), (s_t, t)\}$, and

• $\ell'(x) := \tau$ if $x = \tau_t$, and $\ell'(x) := \ell(x)$ otherwise

is finite, 1-safe, distributed and completed pomset trace equivalent to $N$.

Proof (Sketch)

$N'$ is finite as only two new elements were introduced.

$N'$ is completed pomset trace equivalent to $N$. Given a process $(\mathcal{N}, \pi)$ of $N$, a process of $N'$ can be
constructed by refining in $\mathcal{N}$ every transition $u$ in the same manner as $\pi(u)$ was in $N$. For the reverse
direction, note that in every maximal process of $N'$, $\pi(u) = t \Rightarrow \pi({}^\bullet u) = \{s_t\} \wedge \pi({}^{\bullet\bullet} u) = \{\tau_t\}$. By
fusing $u$, ${}^\bullet u$, and ${}^{\bullet\bullet} u$ into a single transition $v$ whenever $\pi(u) = t$ and setting the process mapping of $v$ to
$t$, a maximal process of $N'$ can be transformed into a maximal process of $N$.

For the same reason, $N'$ is also 1-safe.

$N'$ is distributed with the distribution function $D'(x) := D(t)$ if $x = s_t \vee x = \tau_t$, and $D'(x) := D(x)$
otherwise. The places in ${}^\bullet \tau_t$ are on $D(t) = D'(\tau_t)$. $D'(s_t) = D(t) = D'(t)$. Hence all transitions are on the
same location as their preplaces. No new parallelism is introduced, as a parallel firing of either $\tau_t$ or $t$ with
some other transition $u$ can only occur if $t$ and $u$ could already fire in parallel in $N$. □

2 While $\ell$ and $l$ look nearly identical, the authors see no problem in that, given the close correspondence.

Next we show that, if a marking is reached twice during an execution, the dependencies of all tokens
consumed and produced by a transition firing in such a cycle are equal.

Lemma 2. Let $N = (S,T,F,M_0,\ell)$ be a finite, 1-safe net. Let $t_s, t_{s+1}, \ldots, t_{e-1}, t_e \in T$ be a sequence of
transitions leading from a reachable marking $M_{base}$ to the same, i.e. $M_{base}\ [\{t_s\}\rangle \cdots [\{t_e\}\rangle\ M_{base}$.
Then every $t_i$ produced tokens that were dependent on the same labels as the tokens on its preplaces.

Proof. Assume the opposite, i.e. there is a $t_i$ for $s \le i \le e$ such that $t_i$ consumed an $L$-independent
token from one of its preplaces (for some $L \subseteq Act$), but produced no $L$-independent tokens. This
$L$-independent token needs to be replaced to again reach $M_{base}$. However the replacement token needs to
be $L$-independent as otherwise a dependency marking different from $M_{base}$ would be reached. This token
can thus not depend on any of the tokens produced by $t_i$, as it would then not be $L$-independent. In other
words, had $t_i$ not fired, a new $L$-independent token could also have been produced on its preplaces, i.e.
$N$ would not be 1-safe, violating the assumptions. Hence no such $t_i$ can be fired, or equivalently, every $t_i$
produced tokens that were dependent on the same labels as the tokens on its preplaces (which hence all
have the same dependencies). □

We will now show that, given an arbitrary finite, 1-safe net, it is not possible in general to find a finite,
1-safe, and distributed net which is completed pomset trace equivalent to the original. As a counterexample,
consider the repeated pure M of Figure [2]. It is a simple net allowing to perform several transitions of a
and c in parallel, and terminating with a single transition b. The main argument of the following proof
proceeds as follows: To perform an arbitrary number of a and c-transitions within a finite net there has
to be a loop. To terminate with b the process has to escape from that loop by disabling all transitions
leading to a or c. Therefore either a single token is consumed that is dependent on a as well as on c,
or two different tokens - one a-dependent and one c-dependent - are consumed. In the first case an
additional iteration of the loop results in an additional causal dependency, i.e., in a causal dependency
between a and c. In the second case the net is not distributed in the sense of Definition [4].

Theorem 5.1. 

It is in general impossible to find for a finite, 1-safe net a distributed, completed pomset trace equivalent, 
finite, 1-safe net. 

Proof. Via the counterexample given in Figure [2]. Suppose a finite, 1-safe, distributed net $N_{impl}$, which
is completed pomset trace equivalent to the net of Figure [2], would exist. By refining every $b$-labelled
transition in $N_{impl}$ into two transitions in the manner of Lemma [1], a new net $N = (S,T,F,M_0,\ell)$ is derived.
By Lemma [1] this new net is finite, 1-safe, distributed and completed pomset trace equivalent to the net
in Figure [2], since $N_{impl}$ is.

$N$ has $|S|$ places and 3 different labels, every place can hold either no token, or a token dependent
on any possible combination of the three labels. Since $N$ is finite so is $|S|$. Hence $N$ has at most $9^{|S|}$
reachable dependency markings. Let $m := 9^{|S|}$. $N$ is able to fire $(ac)^m b$ without any step containing
more than a single transition since the net of Figure [2] is and the two are assumed to be completed
pomset trace equivalent. Let $G_1, G_2, \ldots, G_n$ be the steps fired while doing so. $|G_i| = 1$ for all $i$. In the
course of firing that sequence, at least one dependency marking is bound to be reached twice. Of all
those dependency markings which occur twice, we take the one occurring last while firing $(ac)^m b$ and
call it $M_{base}$. Let $G_s, G_{s+1}, \ldots, G_{e-1}, G_e$ be a sequence of steps between two occurrences of $M_{base}$, i.e.
$M_0 \times \{\emptyset\}\ [G_1\rangle \cdots M_{base}\ [G_s\rangle \cdots [G_e\rangle\ M_{base}$.

Using Lemma [2], the transitions of the steps $G_s$ to $G_e$ can be partitioned into subsets $T_X$ based on
the dependencies of the tokens they produced and consumed. A set $T_X$ includes all transitions producing
$X$-dependent, $Act \setminus X$-independent tokens. By firing $G_s \cap T_{\{a\}}, G_{s+1} \cap T_{\{a\}}, \ldots, G_e \cap T_{\{a\}}$ (skipping
empty steps) repeatedly, $M_{base} \stackrel{a^m}{\Longrightarrow}$. By firing $G_s \cap T_{\{c\}}, G_{s+1} \cap T_{\{c\}}, \ldots, G_e \cap T_{\{c\}}$ (skipping empty steps)
repeatedly, $M_{base} \stackrel{c^m}{\Longrightarrow}$.

We now search for the marking, where the decision to fire b is made. 

Assume a reachable marking M of N with M If M this holds for all M'" reachable from 
M" since c cannot be enabled using tokens produced by a transition labelled a or b. Otherwise there 
would exist a pomset of N in which a c is causally dependent on an a or b. Such a pomset however does
not exist for the net of Figure [2], thereby violating the assumption of completed pomset trace equivalence.
If however c is not re-enabled after M" a maximal process including finitely many c but infinitely many
a's can be produced, also leading to a pomset not present in the net of Figure [2]. The same argument can
be applied with the roles of a and c reversed, hence M" => iff M" =>. 

We start from $M_{base}$ and start to fire the steps $G_s, G_{s+1}, \ldots, G_n$ until $a^m$ cannot be fired any more
for the first time. This step always exists as after b no further a's or c's may be fired. Call the single
transition in that step $t_b$. The marking right before that transition fired, we call $M$, the one right after it
$M'$. Not only $M \stackrel{a^m}{\Longrightarrow}$ but also $M \stackrel{c^m}{\Longrightarrow}$ and not only $M' \stackrel{a^m}{\not\Longrightarrow}$ but also $M' \stackrel{c^m}{\not\Longrightarrow}$, as both $M$ and $M'$ are reachable
markings.

$t_b$ is not itself labelled b, as the refined net has a $\tau$-transition before the b, and once a token resides on
the intermediate place, no a-transitions can be fired any more, as otherwise a pomset containing an a which
is not a causal predecessor of a b would be produced, again not existing for the net of Figure [2].

To disable the trace $a^m$, the transition $t_b$ needed to consume a token. If $t_b$ had not fired, some
$G_i \cap T_{\{a\}}$, $s \le i \le e$, could have consumed that token, hence that token must be a-dependent, c-independent.
Similarly, $t_b$ must have consumed a token which could have led to $c^m$. This token needs to be c-dependent,
a-independent. Hence $t_b$ has at least two preplaces, which in turn are also preplaces to two different
transitions, call them $t_a$ and $t_c$, which then lead to $a^m$ and $c^m$ respectively.³ As they have common
preplaces, $t_a$, $t_b$ and $t_c$ are on the same location.

From $M$ the net can fire $a^m$ consuming only a-dependent, c-independent tokens. It can also fire $c^m$
consuming only c-dependent, a-independent tokens.

Hence there is a sequence of steps leading from $M$ to a marking where $t_a$ is enabled, yet only
a-dependent, c-independent tokens have been removed or added. Similarly there is a firing sequence
leading from $M$ to a marking where $t_c$ is enabled, yet only c-dependent, a-independent tokens have
been removed or added. As they change disjoint sets of tokens, these two firing sequences can be
concatenated, thereby leading to a marking where $t_a$ and $t_c$ are concurrently enabled, yet they are on the
same location, thereby violating the implementation requirements. □

Note that the self-loops of the counterexample are not critical to the success of the proof. 

3 The removal of the token leading to $a^m$ and the one leading to $c^m$ must indeed be done by a single transition $t_b$ as only a
single transition was fired between $M$ and $M'$ and both traces were possible in $M$ but impossible in $M'$.

This paper only considered 1-safe nets as possible implementations. We conjecture however, that the
proof of Theorem [5.1] can be extended to non-safe nets as well, as from a place where tokens of different
dependency mix, a transition can always choose the most-dependent token. In particular a transition
intended to produce independent tokens cannot have such a place as a preplace. Hence every part of
the net providing independent tokens can do so without depending on firings of labelled transitions.
The number of independent tokens produced on a place where a labelled transition consumes them is
thus either finite over every run of the system, or unbounded even without any labelled transition ever
firing. In both cases that place is unsuitable for disabling a potentially infinitely often occurring loop. If
only finitely many tokens are produced, the loop can no longer happen infinitely often, if an unbounded
number of tokens can be produced, no disabling can be guaranteed.

6 Conclusion 

A review of existing literature in the related area can be found in J4[, nonetheless we wish to refer the 
reader also to (51 , where instead of requiring the equivalence between specification and implementa- 
tion to preserve parallelism, more structural resemblance of the implementation to the specification is 
required. 

A paper not covered earlier is [1], where an algorithm for the automated synthesis of distributed 
implementations of protocols is presented. The notion of distributed Petri nets employed therein differs 
from ours by not requiring formally that no parallelism may occur on the same location. The authors 
however finally generate a finite automaton for each location, again serialising all actions on a single lo- 
cation. In contrast to the present paper and similar to J5j, the authors start with a user-supplied map from 
events to locations, and answer the concrete problem of whether that specific distribution is realisable or 
not instead of requiring the maximal possible parallelism to be realised. 

Comparing the proof of Theorem 15.11 with the proof in JU we observe that the counterexample in 
both proofs is based on two conflicts overlapping by a transition, i.e., on what is therein called a fully 
reachable pure M. In the synchronous setting such an overlapping conflict is solved by the simultaneous 
removal of tokens on different places in the preset. In an asynchronous setting these two conflicts have 
to be distributed over at least two locations. Intuitively, the problem with such a distribution is that it 
prevents the simultaneous solution of the original overlapping conflicts. Instead these two conflicts 
have to be solved in some order. This order must, as done within the encoding presented in [10], be 
enforced by the encoding, leading to additional causal dependencies. 
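
The overlapping conflict described above can be made concrete with a small step-semantics model. This is an added example, not code from the paper: the three-transition net, its place names p and q, and the helper `enabled_after_partial_grab` (a simplified stand-in for a serialising encoding) are assumptions made for illustration.

```python
from itertools import combinations

# Constructed net (assumption, not taken from the paper's figures):
# a consumes p, b consumes p and q, c consumes q; a and c return their token.
PRE = {"a": {"p": 1}, "b": {"p": 1, "q": 1}, "c": {"q": 1}}
POST = {"a": {"p": 1}, "b": {}, "c": {"q": 1}}
M0 = {"p": 1, "q": 1}

def step_enabled(marking, step):
    """A step (set of transitions) is enabled iff the marking covers the summed presets."""
    need = {}
    for t in step:
        for place, n in PRE[t].items():
            need[place] = need.get(place, 0) + n
    return all(marking.get(place, 0) >= n for place, n in need.items())

def fire(marking, step):
    """Synchronous firing: every preset token of the step is removed atomically."""
    if not step_enabled(marking, step):
        raise ValueError(f"step {step} is not enabled")
    m = dict(marking)
    for t in step:
        for place, n in PRE[t].items():
            m[place] -= n
    for t in step:
        for place, n in POST[t].items():
            m[place] = m.get(place, 0) + n
    return m

def shares_preset(t, u):
    return bool(set(PRE[t]) & set(PRE[u]))

def overlapping_conflicts(marking):
    """Triples (t, u, v): t/u and u/v conflict, t and v do not, all three enabled."""
    found = []
    for u in PRE:
        for t, v in combinations(sorted(set(PRE) - {u}), 2):
            if (shares_preset(t, u) and shares_preset(u, v) and not shares_preset(t, v)
                    and all(step_enabled(marking, [x]) for x in (t, u, v))):
                found.append((t, u, v))
    return found

def enabled_after_partial_grab(marking, t, place):
    """Hypothetical serialised firing: t has taken only `place` so far."""
    m = dict(marking)
    m[place] -= PRE[t][place]
    return sorted(x for x in PRE if x != t and step_enabled(m, [x]))
```

Under synchronous firing, b disables a and c in a single atomic step. Once b must take p and q one after the other, an intermediate marking appears in which one conflict is already decided and the other is still open.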

The present paper adds another patch to the emerging map of the separation plane between those 
equivalences from the spectrum of behavioural equivalences which allow asynchronous implementation 
in general and those which do not. In [3] we showed that Petri nets cannot in general be implemented 
up to step readiness equivalence, thereby giving an upper bound for distributability along the 
branching-time dimension. The present paper provided an upper bound on the dimension of causality. We did not 
formally prove that this bound is tight, and one might imagine that a behavioural equivalence closer to 
the notion of dependency markings exists. However, we were unable to find an equivalence which is 
sensitive to the local deadlock problem outlined in Figure 4 and is not based on processes. The 
implementation of [10] can serve as a lower bound on both dimensions. It would be interesting to answer the 
implementability question for systems which feature real-valued time, thereby enabling timeout 
detection and simultaneous action without co-locality. 

That the observed effects are not peculiarities of the Petri net model of systems but a reality of 
asynchronous systems in general is underlined by the existence of a companion paper [6], giving a 
result similar to the one achieved here in the setting of the asynchronous π-calculus. 

A closer look at the proof in [6] reveals that this proof depends on counterexamples that are so-called 
symmetric networks including mixed choices in a similar way as our result depends on counterexamples 
including a pure M. A symmetric network - for instance R = a + b + bV | b + a + a.f in the second 
part of the proof - consists of some parallel processes that differ only due to some permutation of names. 
In combination with mixed choice, i.e., a choice between input as well as output capabilities, symmetric 
networks result in conflicting steps on different links. Hence in both cases the counterexamples refer to 
some situation in the synchronous setting in which there are two distinct but conflicting steps. To solve 
this conflict two simultaneous activities are necessary - in case of Petri nets two tokens are removed 
simultaneously and in case of the π-calculus two sums are reduced simultaneously in one step. In the 
asynchronous setting this simultaneous solution has to be serialised by some kind of lock. It blocks 
the enabling of the asynchronous implementations of source steps, such that no two implementations 
of conflicting source steps are enabled concurrently. In both formalisms, Petri nets and the π-calculus, 
it is this temporary blocking of the implementation of source steps, necessary to avoid deadlock or 
divergence in case of conflicting source steps, that leads to additional causal dependencies. 

Apart from this apparent similarity however, much of the relation between the two results remains 
mysterious to us. To begin with, the requirements imposed on Petri net implementations and π-calculus 
implementations take wildly different forms. Additionally, in contrast to the π-calculus result, the present 
paper connected implementation and original by means of behaviour only without any reference to the 
system structure. The π-calculus result on the other hand had no need to give special attention to infinite 
implementations. Finally, we also have no explanation for why the difference in expressive power (the 
π-calculus is Turing-complete) should not make a difference for results such as this. We hope to answer 
some of these questions in future work. 

The question up to which behavioural equivalence general Petri nets are implementable can also be 
reversed into the question what properties or substructures of a Petri net make it unimplementable. One 
problematic structure for causal equivalences, identified in this paper, is the net of Figure 2, possibly 
with a more elaborate route from a and c back to the marking enabling all three transitions. We did not 
prove that no fundamentally different problematic structures exist, but we conjecture that this is indeed 
the case. 